Network Security
Application layer security supports the widest range of interaction patterns. It can provide (additional) confidentiality protection, i.e., over and above lower-layer controls, or without any lower-layer confidentiality (depending on needs). This is useful for highly sensitive data (e.g., keys).
10/14/2008
E-mail Security
- Pretty Good Privacy (PGP)
- Key Rings
- PGP Certificates
- S/MIME
- Applications of S/MIME
Note: In e-mail security, the sender of the message needs to include the name or identifiers of the algorithms used in the message.
Note: In e-mail security, the encryption/decryption is done using a symmetric-key algorithm, but the secret key to decrypt the message is encrypted with the public key of the receiver and is sent with the message.
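As an added example (not from the original slides), the scheme in the two notes above in Go: the body is encrypted under a one-time symmetric key, and that key travels with the message encrypted under the receiver's public key. The Envelope type, AES-256-GCM for the body and RSA-OAEP for the key are assumptions for illustration; the slides themselves name no particular algorithms here.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// Envelope is a constructed, illustrative container, not a real PGP or S/MIME encoding.
type Envelope struct {
	Algs       string // the sender names the algorithms used, as the first note requires
	WrappedKey []byte // one-time session key encrypted with the receiver's RSA public key
	Nonce      []byte // per-message AES-GCM nonce
	Ciphertext []byte // message body encrypted under the session key
}
func check(err error) {
	if err != nil {
		panic(err) // demo only; a real mail client would report the failure instead
	}
}
// aeadFor returns the symmetric cipher used for the body (AES-256-GCM here).
func aeadFor(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	check(err)
	aead, err := cipher.NewGCM(block)
	check(err)
	return aead
}
// Seal encrypts msg for the holder of pub under a fresh symmetric session key.
func Seal(pub *rsa.PublicKey, msg []byte) *Envelope {
	rnd := make([]byte, 32+12) // 32-byte AES-256 key followed by a 12-byte GCM nonce
	_, err := rand.Read(rnd)
	check(err)
	key, nonce := rnd[:32], rnd[32:]
	// Only the short session key goes through the slow public-key operation.
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	check(err)
	body := aeadFor(key).Seal(nil, nonce, msg, nil)
	return &Envelope{"RSA-OAEP-SHA256/AES-256-GCM", wrapped, nonce, body}
}
// Open unwraps the session key with priv, then the body; tampering yields an error, not garbage.
func Open(priv *rsa.PrivateKey, e *Envelope) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, e.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	return aeadFor(key).Open(nil, e.Nonce, e.Ciphertext, nil)
}
```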
TCP/IP Protocol Suite
Figure 30.22: A plaintext message
Figure 30.23: An authenticated message
Figure 30.24: A compressed message
Figure 30.25: A confidential message
Figure 30.26
Note: In PGP, there can be multiple paths from fully or partially trusted authorities to any subject.
Figure 30.27: Trust model
Figure 30.28
Example 30.1: The following shows an example of an enveloped-data message in which a small message is encrypted using triple DES.
30-4 FIREWALLS
None of the previous security measures can prevent Eve from sending a harmful message to a system. To control access to a system we need firewalls. A firewall is a device (usually a router or a computer) installed between the internal network of an organization and the rest of the Internet. It is designed to forward some packets and filter (not forward) others. Figure 30.32 shows a firewall.
DNS Hierarchy
(Figure: the naming tree, with top-level domains such as com, org and jp below the root.)
Examples:
- whitehouse.gov
- barney.the.purple.dinosaur.com
- monica.cs.rpi.edu
Domain Name
The domain name for a host is the sequence of labels that lead from the host (leaf node in the naming tree) to the top of the worldwide naming tree. A domain is a subtree of the worldwide naming tree.
Each country has a top-level domain (a two-letter domain name). New top-level domains include:
.aero .biz .coop .info .name .pro
DNS Organization
Distributed Database
The organization that owns a domain name is responsible for running a DNS server that can provide the mapping from hostnames within the domain to IP addresses. So some machine run by RPI is responsible for everything within the rpi.edu domain.
(Figure: the rpi.edu DNS database, which is authoritative for that domain.)
DNS Clients
A DNS client is called a resolver. A call to getByName(host) is handled by a resolver (typically part of the client). Most Unix workstations have the file /etc/resolv.conf, which contains the local domain and the addresses of DNS servers for that domain.
Netprog 2002 DNS
/etc/resolv.conf:
domain rpi.edu
nameserver 128.113.1.5
nameserver 128.113.1.3
nslookup
nslookup is an interactive resolver that allows the user to communicate directly with a DNS server. nslookup is usually available on Unix workstations.
DNS Servers
Servers handle requests for their domain directly. Servers handle requests for other domains by contacting remote DNS server(s). Servers cache external mappings.
DNS Data
DNS databases contain more than just hostname-to-address records:
- NS: name server records
- CNAME: hostname aliases
- MX: mail exchangers
- HINFO: host information
Server Operation
If a server has no idea where to find the address for a hostname, it asks a root server. The root server will tell it which name server to contact. A request may get forwarded a few times.
Message Flags
- QR: Query=0, Response=1
- AA: Authoritative Answer
- TC: response truncated (> 512 bytes)
- RD: recursion desired
- RA: recursion available
- rcode: return code
Recursion
A request can indicate that recursion is desired - this tells the server to find out the answer (possibly by contacting other servers). If recursion is not requested - the response may be a list of other name servers to contact.
Question Format
- Name: domain name (or IP address)
- Query type (A, NS, MX, ...)
- Query class (1 for IP)
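As an added example (not part of the original slides), the message flags, recursion bit and question format described above in Go: BuildQuery encodes one question with RD set, the way a resolver asks a server to do the work, and ParseHeader pulls QR, AA, TC, RD, RA and rcode out of the flags word of a reply. Bit positions follow RFC 1035; the Header type and function names are my own.

```go
package main

import (
	"encoding/binary"
	"errors"
	"strings"
)

// Header is the 12-byte DNS message header (RFC 1035 section 4.1.1).
type Header struct {
	ID                                 uint16
	QR                                 bool  // false = query, true = response
	AA, TC                             bool  // authoritative answer; truncated (reply exceeded 512 bytes)
	RD, RA                             bool  // recursion desired; recursion available
	RCode                              uint8 // return code (0 = no error)
	QDCount, ANCount, NSCount, ARCount uint16
}

// ParseHeader decodes the header; a resolver checks TC (retry over TCP) and RA
// (did the server agree to recurse?) before trusting what follows.
func ParseHeader(b []byte) (Header, error) {
	if len(b) < 12 {
		return Header{}, errors.New("short DNS header")
	}
	flags := binary.BigEndian.Uint16(b[2:4])
	return Header{
		ID: binary.BigEndian.Uint16(b[0:2]),
		QR: flags&0x8000 != 0, AA: flags&0x0400 != 0, TC: flags&0x0200 != 0,
		RD: flags&0x0100 != 0, RA: flags&0x0080 != 0, RCode: uint8(flags & 0x000F),
		QDCount: binary.BigEndian.Uint16(b[4:6]), ANCount: binary.BigEndian.Uint16(b[6:8]),
		NSCount: binary.BigEndian.Uint16(b[8:10]), ARCount: binary.BigEndian.Uint16(b[10:12]),
	}, nil
}

// BuildQuery encodes a header with RD=1 and one question: name, qtype, class 1 (IN).
func BuildQuery(id uint16, name string, qtype uint16) []byte {
	msg := make([]byte, 12)
	binary.BigEndian.PutUint16(msg[0:2], id)
	binary.BigEndian.PutUint16(msg[2:4], 0x0100) // QR=0 (query), RD=1
	binary.BigEndian.PutUint16(msg[4:6], 1)      // QDCOUNT: one question
	for _, label := range strings.Split(strings.TrimSuffix(name, "."), ".") {
		msg = append(msg, byte(len(label))) // each label is length-prefixed
		msg = append(msg, label...)
	}
	msg = append(msg, 0) // empty root label terminates the name
	return append(msg, byte(qtype>>8), byte(qtype), 0, 1) // QTYPE, QCLASS=1
}
```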
WHAT IS SNMP?
SNMP (Simple Network Management Protocol) is a UDP-based network protocol. It is used mostly in network management systems to monitor networks.
Performance Management
- How smoothly is the network running?
- Can it handle the workload it currently has?
SNMP
SNMP is a tool (protocol) that allows for remote and local management of items on the network, including servers, workstations, routers, switches and other managed devices. It is comprised of agents and managers:
- Agent: a process running on each managed node, collecting information about the device it is running on.
- Manager: a process running on a management workstation that requests information about devices on the network.
SNMP Messages
SNMP messages may be initiated by either the network management system (NMS) or by the network element. An SNMP TRAP is a message which is initiated by a network element and sent to the network management system. For example, a router could send a message if one of its redundant power supplies fails, or a printer could send an SNMP trap when it is out of paper.
An SNMP GET is a message which is initiated by the network management system when it wants to retrieve some data from a network element. For example, the network management system might query a router for the utilization on a WAN link every 5 minutes.
An SNMP SET is a message which is initiated by the NMS when it wants to change data on a network element. For example, the NMS may wish to alter a static route on a router.
- GetNext: retrieves the value of the next MIB variable in lexicographic order
- Set: changes the value of a MIB variable
- Trap: an unsolicited notification sent by an agent to a management application (typically a notification of something unexpected, like an error)
SNMP Protocol
Defines the format of messages exchanged by management systems and agents. Specifies the Get, GetNext, Set, and Trap operations.
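As an added example (not from the original slides), a toy agent in Go that answers GetNext and Set with the semantics described above: GetNext returns the variable whose OID follows the requested one in numeric, arc-by-arc order, and Set refuses writes to read-only objects. The Agent type, the sample OIDs and the read-only handling are assumptions for illustration; no transport or BER encoding is involved.

```go
package main

import (
	"errors"
	"sort"
	"strconv"
	"strings"
)

// oidLess compares OIDs arc by arc as numbers: 1.3.6.1.2.1.2.2.1.2.2 precedes 1.3.6.1.2.1.2.2.1.2.10, unlike string order.
func oidLess(a, b string) bool {
	x, y := strings.Split(a, "."), strings.Split(b, ".")
	for i := 0; i < len(x) && i < len(y); i++ {
		m, _ := strconv.Atoi(x[i]) // the constructed OIDs used here are well-formed
		n, _ := strconv.Atoi(y[i])
		if m != n {
			return m < n
		}
	}
	return len(x) < len(y) // an OID sorts before its own children
}

// Agent is a constructed toy agent: a MIB of OID -> value, plus the OIDs that are read-only.
type Agent struct {
	MIB      map[string]string
	ReadOnly map[string]bool
}
// GetNext answers a GETNEXT: the first variable whose OID is greater than oid (repeat it from a subtree root to walk the subtree).
func (a *Agent) GetNext(oid string) (string, string, error) {
	keys := make([]string, 0, len(a.MIB))
	for k := range a.MIB {
		keys = append(keys, k)
	}
	sort.Slice(keys, func(i, j int) bool { return oidLess(keys[i], keys[j]) })
	i := sort.Search(len(keys), func(i int) bool { return oidLess(oid, keys[i]) })
	if i == len(keys) {
		return "", "", errors.New("endOfMibView")
	}
	return keys[i], a.MIB[keys[i]], nil
}
// Set answers a SET: unknown names and read-only objects are refused.
func (a *Agent) Set(oid, value string) error {
	if _, ok := a.MIB[oid]; !ok {
		return errors.New("noSuchName")
	} else if a.ReadOnly[oid] {
		return errors.New("notWritable")
	}
	a.MIB[oid] = value
	return nil
}
```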
Nodes
Items in an SNMP network are called nodes. There are different types of nodes.
- Managed nodes: typically run an agent process that services requests from a management node.
- Management nodes: typically a workstation running some network management and monitoring software.
A node may not support SNMP itself, but may still be manageable by SNMP through a proxy agent running on another machine.
(Figure: SNMP message layout, a message preamble followed by the PDU body.)
SNMP Architecture
The SNMP architecture includes the following layers:
- SNMP network managers
- Master agents
- Subagents
- Managed components
Languages of SNMP
Structure of Management Information (SMI)
specifies the format used for defining managed objects that are accessed via the SNMP protocol
- http://www.sun.com/solstice/
- http://www.microsoft.com/smsmgmt/
- http://www.compaq.com/products/servers/management/
- http://www.redpt.com/
Electronic Mail
You know what you can do with email!
It offers a service that allows users to send messages to each other.
Three major components:
- user agents
- mail servers
- simple mail transfer protocol: SMTP
User agent (a.k.a. mail reader): composing, editing and reading mail messages, e.g., Eudora, Outlook, elm, Netscape Messenger; outgoing and incoming messages are stored on the server.
(Figure, 2: Application Layer: user agents and mail servers exchanging mail; receiving host.)